This email contains information about a potential security vulnerability related to customers who have enabled remote access via the mobile server on XProtect Go, Essential and Express.

To make our entry-level VMS easier to use, we initially designed the installation/upgrade process in a way that added a default basic user with a default password. This practice potentially allows unauthorized people to access camera feeds if the user is not deleted or password changed after the installation/upgrade process.

In a recent security policy review, and with input from an APAC community partner, we have decided to address and change this practice immediately. Ensuring the security and integrity of all Milestone installations will always remain a top priority to us and this practice does not adhere to our cybersecurity standards.

Affected products

No versions of Expert or Corporate are affected.

None of the Husky NVRs are affected.

XProtect Professional and XProtect Enterprise only if upgraded from the entry-level VMS listed below.

XProtect Express 1.0a to 2017 R1

XProtect Essential 2.0a to 2017 R1

XProtect Go all versions (all discontinued)

We recommend taking action as described below

Check to see if any of your customers are running on any of the affected product versions: To do so, log in to the Customer Dashboard, navigate to Software Registration, select Customers and Licenses and click the License tab to search for affected products in order to identify the customers that potentially have this issue.

Check for the vulnerability on your customer´s installation: Open the "XProtect Management Application" and navigate to "Users". If user “admin” with User Type Basic is present, the issue could be present.

SOLVE the issue in your customer’s installation: You can mitigate the issue in two ways:

Through update: Update the installation to the 2017 R2 version of the products available June 8. None of the XProtect 2017 R2 products will have this issue.

Instantly: Right-click on the user “admin” and select either "Delete User" or "Properties --> User Information" to change the password.

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.